I am currently trying to set up a router for my home network using Linux
(Arch Linux to be more specific). The embedded board I am using has 3
LAN interfaces, called wan0, lan0, lan1, and two wifi cards, called
wifi0 and wifi1. I want to have two separate networks, one for my guests
and one for my family and me. My current setup looks like this:

I configured a bridge containing lan0 and wifi0, called brd0, with IP
address 192.168.10.1/24 and a bridge containing lan1 and wifi1, called
brd1, with IP address 192.168.20.1/24. On brd0 as well as brd1 dnsmasq
is running in dhcpd mode to hand out IP addresses to clients in the
range 192.168.10.50-125 for brd0 and the range 192.168.20.50-125 for
brd1. The 192.168.20.1/24 network is my guest network, while
192.168.10.1/24 is my home network.

This setup works so far. However, one thing took me by surprise. I
thought that, because the guest and home networks are in two different subnets,
the traffic between them is also separated. However, when I am connected
to the guest network I can also reach services and computers on the
home network, even though no static route or forwarding is set (the
other way around is also true). I guess this has something to do with how
bridge devices work under Linux.

My question is, how do I configure the router so that both networks are
separated from each other? Do I need to use traffic filter rules? Can
this be implemented with ebtables? Or is my setup somehow broken and it
should not be possible to reach services from one network on the other?

1 Answer

I'll use the text as reference, since your interface names don't match between picture and text.

The router is routing between all its interfaces where it has an IP, so brd0 (home), brd1 (guest) and wan0 (which you forgot to add in the picture), as expected from a router.

Since you'll later have to route between brd0 and wan0 as well as between brd1 and wan0, you can't simply disable routing. You can use two iptables FORWARD rules to forbid this routing, one for each direction:

Note: systems from one network can still ping the router's IP belonging to the other network (e.g. from 192.168.20.2, ping 192.168.10.1 would succeed) since it's not routed, so not traversing those FORWARD rules, but that'd be a bit overkill to address (with correct rules in the INPUT chain). I just leave it as a remark.

Note 2: nothing in this answer needed to deal with the fact that brd0 and brd1 are bridges: it's all about routing.
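The two FORWARD rules the answer describes, written out as a small script. This is an added example, not the answer's own code; it assumes the interface names (brd0, brd1, wan0) and router addresses (192.168.10.1, 192.168.20.1) from the question, and the function names and the `isolate.sh` file name are made up here. The INPUT rules implement the optional remark about the router's own addresses; the script only prints the rules unless run as root with `apply`.

```shell
#!/bin/sh
# Added example (not from the original answer). Interface names and router
# addresses are the ones given in the question; everything else is assumed.

HOME_IF=brd0
HOME_ADDR=192.168.10.1     # router's address on the home bridge
GUEST_IF=brd1
GUEST_ADDR=192.168.20.1    # router's address on the guest bridge

# Rules that stop the router from forwarding packets between the two
# bridges, one per direction. Inserted (-I) at the top of FORWARD so they
# take precedence over any later generic ACCEPT rule; forwarding between
# either bridge and wan0 is untouched, so Internet access keeps working.
forward_isolation_rules() {
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$HOME_IF" "$GUEST_IF"
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$GUEST_IF" "$HOME_IF"
}

# Optional rules for the remark in the answer: a guest host reaching
# 192.168.10.1 is delivered locally (INPUT chain), not forwarded, so the
# FORWARD rules never see it. These close that path too.
input_isolation_rules() {
    printf 'iptables -I INPUT -i %s -d %s -j DROP\n' "$GUEST_IF" "$HOME_ADDR"
    printf 'iptables -I INPUT -i %s -d %s -j DROP\n' "$HOME_IF" "$GUEST_ADDR"
}

# Insert a rule only if an identical one is not already present
# (iptables -C exits 0 when the rule exists), so rerunning at boot is safe.
apply_rule() {
    chain=$1; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
}

# Apply the FORWARD rules, and the INPUT rules too if asked for.
apply_isolation() {
    apply_rule FORWARD -i "$HOME_IF" -o "$GUEST_IF" -j DROP
    apply_rule FORWARD -i "$GUEST_IF" -o "$HOME_IF" -j DROP
    if [ "${1:-}" = with-input ]; then
        apply_rule INPUT -i "$GUEST_IF" -d "$HOME_ADDR" -j DROP
        apply_rule INPUT -i "$HOME_IF" -d "$GUEST_ADDR" -j DROP
    fi
}

# Show the resulting rule set so the two DROP rules can be checked by eye.
show_isolation() {
    iptables -S FORWARD
    iptables -S INPUT
}

# Usage (as root): sh isolate.sh apply [with-input]
#                  sh isolate.sh show
# With no argument the script is a dry run and only prints the rules.
case "${1:-}" in
    apply) apply_isolation "${2:-}"; show_isolation ;;
    show)  show_isolation ;;
    *)     forward_isolation_rules; input_isolation_rules ;;
esac
```

After applying, a host on 192.168.20.0/24 should no longer get replies from anything on 192.168.10.0/24 while still reaching wan0, which confirms the answer's point that the isolation is a routing matter and has nothing to do with the interfaces being bridges.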